summaryrefslogtreecommitdiffstats
path: root/deploy
diff options
context:
space:
mode:
authorHarry Huang <huangxiangyu5@huawei.com>2016-11-28 17:25:35 +0800
committerHarry Huang <huangxiangyu5@huawei.com>2016-11-28 17:25:35 +0800
commitd31318470bcfb236e2ed9356e0e61f34fe85cc80 (patch)
tree0fbe52f7ad11e65c0ef1470fd899d242e796eece /deploy
parent55a61f037dd6c089f734c4cd53af072562b7fc51 (diff)
add congress support
JIRA: COMPASS-367 add congress support in openstack_mitaka and openstack_newton_xenial Change-Id: I3aa19cb54081ad2300964955b899c1b56a875b25 Signed-off-by: Harry Huang <huangxiangyu5@huawei.com>
Diffstat (limited to 'deploy')
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf37
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service19
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml12
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml31
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml31
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml28
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml25
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml20
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini34
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf510
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json6
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml21
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml21
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml12
-rwxr-xr-xdeploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg227
-rwxr-xr-x[-rw-r--r--]deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml32
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service19
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml12
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml15
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml28
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml37
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml16
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini34
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf510
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json6
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml21
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml12
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg11
-rw-r--r--deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml55
29 files changed, 1820 insertions, 22 deletions
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf
new file mode 100755
index 00000000..22a64a66
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf
@@ -0,0 +1,37 @@
+description "OpenStack Congress Server"
+author "Thomas Goirand <zigo@debian.org>"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+chdir /var/run
+
+respawn
+respawn limit 20 5
+limit nofile 65535 65535
+
+pre-start script
+ for i in lock run log lib ; do
+ mkdir -p /var/$i/congress
+ chown root /var/$i/congress
+ done
+end script
+
+script
+ [ -x "/usr/local/bin/congress-server" ] || exit 0
+ DAEMON_ARGS=""
+ CONFIG_FILE="/etc/congress/congress.conf"
+ USE_SYSLOG=""
+ USE_LOGFILE=""
+ NO_OPENSTACK_CONFIG_FILE_DAEMON_ARG=""
+ [ -r /etc/default/openstack ] && . /etc/default/openstack
+ [ -r /etc/default/$UPSTART_JOB ] && . /etc/default/$UPSTART_JOB
+ [ "x$USE_SYSLOG" = "xyes" ] && DAEMON_ARGS="$DAEMON_ARGS --use-syslog"
+ [ "x$USE_LOGFILE" != "xno" ] && DAEMON_ARGS="$DAEMON_ARGS --log-file=/var/log/congress/congress.log"
+ [ -z "$NO_OPENSTACK_CONFIG_FILE_DAEMON_ARG" ] && DAEMON_ARGS="$DAEMON_ARGS --config-file=$CONFIG_FILE"
+
+ exec start-stop-daemon --start --chdir /var/lib/congress \
+ --chuid root:root --make-pidfile --pidfile /var/run/congress/congress.pid \
+ --exec /usr/local/bin/congress-server -- ${DAEMON_ARGS}
+end script
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service
new file mode 100755
index 00000000..23db7b0e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenStack Congress server
+After=
+
+[Service]
+User=root
+Group=root
+Type=simple
+WorkingDirectory=/var/lib/congress
+PermissionsStartOnly=true
+ExecStartPre=/bin/mkdir -p /var/lock/congress /var/log/congress /var/lib/congress
+ExecStartPre=/usr/bin/touch /var/log/congress/congress.log
+ExecStart=/usr/bin/congress-server --config-file /etc/congress/congress.conf
+Restart=on-failure
+LimitNOFILE=65535
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml
new file mode 100755
index 00000000..cf535a11
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml
@@ -0,0 +1,12 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: restart congress services
+ service: name={{ item }} state=restarted enabled=yes
+ with_items: services | union(services_noarch)
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml
new file mode 100755
index 00000000..c5d7cce7
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml
@@ -0,0 +1,31 @@
+##############################################################################
+## Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+##
+## All rights reserved. This program and the accompanying materials
+## are made available under the terms of the Apache License, Version 2.0
+## which accompanies this distribution, and is available at
+## http://www.apache.org/licenses/LICENSE-2.0
+###############################################################################
+---
+- name: upgrade openstackclient
+ pip: name=python-openstackclient state=latest
+
+- name: create congress service
+ copy: src=congress.conf dest=/etc/init
+
+- name: create congress service work dir
+ file: path=/var/lib/congress state=directory
+
+- name: link the congress service
+ file:
+ src: /etc/init/congress.conf
+ dest: /etc/init.d/congress
+ state: link
+
+- name: congress db sync
+ shell: /usr/local/bin/congress-db-manage --config-file /etc/congress/congress.conf upgrade head
+ when: inventory_hostname == haproxy_hosts.keys()[0]
+
+- name: start congress service
+ shell: service congress start
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml
new file mode 100755
index 00000000..e922c508
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml
@@ -0,0 +1,31 @@
+##############################################################################
+## Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+##
+## All rights reserved. This program and the accompanying materials
+## are made available under the terms of the Apache License, Version 2.0
+## which accompanies this distribution, and is available at
+## http://www.apache.org/licenses/LICENSE-2.0
+###############################################################################
+---
+- name: upgrade openstackclient
+ pip: name=python-openstackclient state=latest
+
+- name: create congress service
+ copy: src=congress.service dest=/lib/systemd/system/
+
+- name: create congress service work dir
+ file: path=/var/lib/congress state=directory
+
+- name: link the congress service
+ file:
+ src: /lib/systemd/system/congress.service
+ dest: /etc/systemd/system/multi-user.target.wants/congress.service
+ state: link
+
+- name: congress db sync
+ shell: /usr/bin/congress-db-manage --config-file /etc/congress/congress.conf upgrade head
+ when: inventory_hostname == haproxy_hosts.keys()[0]
+
+- name: start congress service
+ shell: service congress start
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml
new file mode 100755
index 00000000..1883509b
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml
@@ -0,0 +1,28 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: create congress db
+ mysql_db:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: "{{ item.db }}"
+ state: present
+ with_items: "{{ credentials }}"
+
+- name: create congress db user
+ mysql_user:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: "{{ item[0].user }}"
+ password: "{{ item[0].password }}"
+ priv: "*.*:ALL,GRANT"
+ host: "{{ item[1] }}"
+ state: present
+ with_nested:
+ - "{{ credentials }}"
+ - ['%', 'localhost']
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml
new file mode 100755
index 00000000..65daff3e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml
@@ -0,0 +1,25 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install congress packages
+ pip: name={{ item }} state=present
+ with_items: packages
+
+- name: create congress etc directory
+ file: path=/etc/congress state=directory
+
+- name: update congress conf
+ template: src={{ item }} dest=/etc/congress/{{ item }}
+ backup=yes
+ with_items:
+ - congress.conf
+ - api-paste.ini
+ - policy.json
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml
new file mode 100755
index 00000000..2cbd619c
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml
@@ -0,0 +1,20 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include: congress_install.yml
+
+- include: congress_db.yml
+ when:
+ - inventory_hostname == haproxy_hosts.keys()[0]
+
+- include: congress_config_debian.yml
+ when: ansible_os_family == "Debian"
+
+- include: congress_config_redhat.yml
+ when: ansible_os_family == "RedHat"
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini
new file mode 100755
index 00000000..39be570b
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini
@@ -0,0 +1,34 @@
+[composite:congress]
+use = egg:Paste#urlmap
+/: congressversions
+/v1: congress_api_v1
+
+[pipeline:congressversions]
+pipeline = cors catch_errors congressversionapp
+
+[app:congressversionapp]
+paste.app_factory = congress.api.versions:Versions.factory
+
+[composite:congress_api_v1]
+use = call:congress.auth:pipeline_factory
+keystone = cors request_id catch_errors authtoken keystonecontext congress_api
+noauth = cors request_id catch_errors congress_api
+
+[app:congress_api]
+paste.app_factory = congress.service:congress_app_factory
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:catch_errors]
+paste.filter_factory = oslo_middleware:CatchErrors.factory
+
+[filter:keystonecontext]
+paste.filter_factory = congress.auth:CongressKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = congress
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf
new file mode 100755
index 00000000..0305b418
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf
@@ -0,0 +1,510 @@
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+[DEFAULT]
+
+#
+# From congress
+#
+# The host IP to bind to (string tmq_serversvalue)
+bind_host = {{ internal_ip }}
+
+# The port to bind to (port value)
+# Minimum value: 0
+# Maximum value: 65535
+bind_port = 1789
+
+# Thread pool size for eventlet. (integer value)
+#max_simultaneous_requests = 1024
+
+# Set this to true to enable TCP_KEEALIVE socket option on connections received
+# by the API server. (boolean value)
+#tcp_keepalive = false
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
+# applies if tcp_keepalive is true. Not supported on OS X. (integer value)
+#tcp_keepidle = 600
+
+# The path to the latest policy dump (string value)
+policy_path = /etc/congress/policy.json
+
+# The file containing datasource configuration (string value)
+#datasource_file = <None>
+
+# The absolute path to the congress repo (string value)
+#root_path = <None>
+
+# The number of worker processes to serve the congress API application.
+# (integer value)
+#api_workers = 1
+
+# The API paste config file to use (string value)
+#api_paste_config = api-paste.ini
+
+# The type of authentication to use (string value)
+auth_strategy = keystone
+
+# List of driver class paths to import. (list value)
+drivers = congress.datasources.neutronv2_driver.NeutronV2Driver,congress.datasources.glancev2_driver.GlanceV2Driver,congress.datasources.nova_driver.NovaDriver,congress.datasources.keystone_driver.KeystoneDriver,congress.datasources.ceilometer_driver.CeilometerDriver,congress.datasources.cinder_driver.CinderDriver,congress.datasources.swift_driver.SwiftDriver,congress.datasources.plexxi_driver.PlexxiDriver,congress.datasources.vCenter_driver.VCenterDriver,congress.datasources.cloudfoundryv2_driver.CloudFoundryV2Driver,congress.datasources.murano_driver.MuranoDriver,congress.datasources.ironic_driver.IronicDriver
+
+
+# The number of seconds to wait between synchronizing datasource config from
+# the database (integer value)
+#datasource_sync_period = 0
+
+# Sets the flag to False if you don't want the congress to execute actions.
+# (boolean value)
+#enable_execute_action = true
+
+# The flag to use congress new distributed architecture.Don't set it to True in
+# L release since the new architecture is under implementation. (boolean value)
+#distributed_architecture = false
+
+# Explicitly specify the temporary working directory (string value)
+#tempdir = <None>
+
+# Make exception message format errors fatal (boolean value)
+#fatal_exception_format_errors = false
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+debug = True
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+log_file = congress.log
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+log_dir = /var/log/congress
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = true
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id
+
+
+[database]
+
+#
+# From oslo.db
+#
+
+# DEPRECATED: The file name to use with SQLite. (string value)
+# Deprecated group/name - [DEFAULT]/sqlite_db
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Should use config option connection or slave_connection to connect
+# the database.
+#sqlite_db = oslo.sqlite
+
+# If True, SQLite uses synchronous mode. (boolean value)
+# Deprecated group/name - [DEFAULT]/sqlite_synchronous
+#sqlite_synchronous = true
+
+# The back end to use for the database. (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend = sqlalchemy
+
+# The SQLAlchemy connection string to use to connect to the database. (string
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+connection = mysql+pymysql://congress:{{ CONGRESS_DBPASS }}@{{ db_host }}/congress
+
+# The SQLAlchemy connection string to use to connect to the slave database.
+# (string value)
+#slave_connection = <None>
+
+# The SQL mode to be used for MySQL sessions. This option, including the
+# default, overrides any server-set SQL mode. To use whatever SQL mode is set
+# by the server configuration, set this to no value. Example: mysql_sql_mode=
+# (string value)
+#mysql_sql_mode = TRADITIONAL
+
+# Timeout before idle SQL connections are reaped. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout = 3600
+
+# Minimum number of SQL connections to keep open in a pool. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool. Setting a value of
+# 0 indicates no limit. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size = 5
+
+# Maximum number of database connection retries during startup. Set to -1 to
+# specify an infinite retry count. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a SQL connection. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with SQLAlchemy. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = 50
+
+# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
+# value)
+# Minimum value: 0
+# Maximum value: 100
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add Python stack traces to SQL as comment strings. (boolean value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = false
+
+# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout = <None>
+
+# Enable the experimental use of database reconnect on connection lost.
+# (boolean value)
+#use_db_reconnect = false
+
+# Seconds between retries of a database transaction. (integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. (boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+
+[keystone_authtoken]
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. (string
+# value)
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+project_name = service
+password = {{ CONGRESS_PASS }}
+username = congress
+auth_type = password
+# API version of the admin Identity API endpoint. (string value)
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout = <None>
+
+# How many times are we trying to reconnect when communicating with Identity
+# API Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache = <None>
+
+# Required if identity server requires client certificate (string value)
+#certfile = <None>
+
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name = <None>
+
+# Directory used to cache files related to PKI tokens. (string value)
+#signing_dir = <None>
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers = <None>
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set
+# to -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# Determines the frequency at which the list of revoked tokens is retrieved
+# from the Identity service (in seconds). A high number of revocation events
+# combined with a low cache duration may significantly reduce performance. Only
+# valid for PKI tokens. (integer value)
+#revocation_cache_time = 10
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+# Allowed values: None, MAC, ENCRYPT
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key = <None>
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached
+# server. (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x. (boolean value)
+#memcache_use_advanced_pool = false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it
+# if not. "strict" like "permissive" but if the bind type is unknown the token
+# will be rejected. "required" any form of token binding is needed to be
+# allowed. Finally the name of a binding method that must be present in tokens.
+# (string value)
+#enforce_token_bind = permissive
+
+# If true, the revocation list will be checked for cached tokens. This requires
+# that PKI tokens are configured on the identity server. (boolean value)
+#check_revocations_for_cached = false
+
+# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
+# or multiple. The algorithms are those supported by Python standard
+# hashlib.new(). The hashes will be tried in the order given, so put the
+# preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance. (list value)
+#hash_algorithms = md5
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type = <None>
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section = <None>
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# The JSON file that defines policies. (string value)
+# Deprecated group/name - [DEFAULT]/policy_file
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+# Deprecated group/name - [DEFAULT]/policy_default_rule
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+# Deprecated group/name - [DEFAULT]/policy_dirs
+#policy_dirs = policy.d
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_hosts = {{ rabbitmq_servers }}
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json
new file mode 100755
index 00000000..4476051d
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json
@@ -0,0 +1,6 @@
+{
+ "context_is_admin": "role:admin",
+ "admin_only": "rule:context_is_admin",
+ "regular_user": "",
+ "default": "rule:admin_only"
+}
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml
new file mode 100755
index 00000000..1cc4645e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml
@@ -0,0 +1,21 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+packages:
+ - congress
+ - python-congressclient
+ - python-cloudfoundryclient
+
+service:
+ - congress
+
+credentials:
+ - user: congress
+ db: congress
+ password: "{{ CONGRESS_DBPASS }}"
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml
new file mode 100755
index 00000000..15916e69
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml
@@ -0,0 +1,21 @@
+##############################################################################
+## Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+##
+## All rights reserved. This program and the accompanying materials
+## are made available under the terms of the Apache License, Version 2.0
+## which accompanies this distribution, and is available at
+## http://www.apache.org/licenses/LICENSE-2.0
+###############################################################################
+---
+packages:
+ - congress
+ - python-congressclient
+ - python-cloudfoundryclient
+
+service:
+ - congress
+
+credentials:
+ - user: congress
+ db: congress
+ password: "{{ CONGRESS_DBPASS }}"
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml
new file mode 100755
index 00000000..f6fef749
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml
@@ -0,0 +1,12 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+packages_noarch: []
+
+services_noarch: []
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg b/deploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg
new file mode 100755
index 00000000..5fbcc9d9
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg
@@ -0,0 +1,227 @@
+
+global
+ #chroot /var/run/haproxy
+ daemon
+ user haproxy
+ group haproxy
+ maxconn 4000
+ pidfile /var/run/haproxy/haproxy.pid
+ #log 127.0.0.1 local0
+ tune.bufsize 1000000
+ stats socket /var/run/haproxy.sock
+ stats timeout 2m
+
+defaults
+ log global
+ maxconn 8000
+ option redispatch
+ option dontlognull
+ option splice-auto
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 50s
+ timeout server 50s
+ timeout check 10s
+ retries 3
+
+listen proxy-mysql
+ bind {{ internal_vip.ip }}:3306
+ option tcpka
+ option tcplog
+ balance source
+{% for host, ip in haproxy_hosts.items() %}
+{% if loop.index == 1 %}
+ server {{ host }} {{ ip }}:3306 weight 1 check inter 2000 rise 2 fall 5
+{% else %}
+ server {{ host }} {{ ip }}:3306 weight 1 check inter 2000 rise 2 fall 5 backup
+{% endif %}
+{% endfor %}
+
+listen proxy-rabbit
+ bind {{ internal_vip.ip }}:5672
+ bind {{ public_vip.ip }}:5672
+
+ option tcpka
+ option tcplog
+ timeout client 3h
+ timeout server 3h
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:5672 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-glance_registry_cluster
+ bind {{ internal_vip.ip }}:9191
+ bind {{ public_vip.ip }}:9191
+ option tcpka
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:9191 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-glance_api_cluster
+ bind {{ internal_vip.ip }}:9292
+ bind {{ public_vip.ip }}:9292
+ option tcpka
+ option tcplog
+ option httpchk
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:9292 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova-novncproxy
+ bind {{ internal_vip.ip }}:6080
+ bind {{ public_vip.ip }}:6080
+ option tcpka
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:6080 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-network
+ bind {{ internal_vip.ip }}:9696
+ bind {{ public_vip.ip }}:9696
+ option tcpka
+ option tcplog
+ balance source
+ option httpchk
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:9696 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-volume
+ bind {{ internal_vip.ip }}:8776
+ bind {{ public_vip.ip }}:8776
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8776 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-keystone_admin_cluster
+ bind {{ internal_vip.ip }}:35357
+ bind {{ public_vip.ip }}:35357
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:35357 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-keystone_public_internal_cluster
+ bind {{ internal_vip.ip }}:5000
+ bind {{ public_vip.ip }}:5000
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:5000 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova_compute_api_cluster
+ bind {{ internal_vip.ip }}:8774
+ bind {{ public_vip.ip }}:8774
+ mode tcp
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8774 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova_metadata_api_cluster
+ bind {{ internal_vip.ip }}:8775
+ bind {{ public_vip.ip }}:8775
+ option tcpka
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8775 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-cinder_api_cluster
+ bind {{ internal_vip.ip }}:8776
+ bind {{ public_vip.ip }}:8776
+ mode tcp
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8776 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+#listen proxy-swift-proxy
+# bind {{ internal_vip.ip }}:8080
+# bind {{ public_vip.ip }}:8080
+# balance source
+# option tcpka
+# option tcplog
+#{% for host,ip in haproxy_hosts.items() %}
+# server {{ host }} {{ ip }}:8080 weight 1 check inter 2000 rise 2 fall 5
+#{% endfor %}
+
+listen proxy-ceilometer_api_cluster
+ bind {{ internal_vip.ip }}:8777
+ bind {{ public_vip.ip }}:8777
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8777 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-aodh_api_cluster
+ bind {{ internal_vip.ip }}:8042
+ bind {{ public_vip.ip }}:8042
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8042 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-congress_api_cluster
+ bind {{ internal_vip.ip }}:1789
+ bind {{ public_vip.ip }}:1789
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:1789 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-dashboarad
+ bind {{ public_vip.ip }}:80
+ mode http
+ balance source
+ capture cookie vgnvisitor= len 32
+ cookie SERVERID insert indirect nocache
+ option forwardfor
+ option httpchk
+ option httpclose
+ rspidel ^Set-cookie:\ IP=
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:80 cookie {{ host }} weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen stats
+ mode http
+ bind 0.0.0.0:9999
+ stats enable
+ stats refresh 30s
+ stats uri /
+ stats realm Global\ statistics
+ stats auth admin:admin
+
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml
index b049ee0b..baaf89e1 100644..100755
--- a/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml
@@ -92,6 +92,22 @@ os_services:
internalurl: "http://{{ internal_vip.ip }}:8000/v1"
adminurl: "http://{{ internal_vip.ip }}:8000/v1"
+ - name: congress
+ type: policy
+ region: RegionOne
+ description: "OpenStack Policy Service"
+ publicurl: "http://{{ public_vip.ip }}:1789"
+ internalurl: "http://{{ internal_vip.ip }}:1789"
+ adminurl: "http://{{ internal_vip.ip }}:1789"
+
+# - name: swift
+# type: object-store
+# region: RegionOne
+# description: "OpenStack Object Storage"
+# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+
os_users:
- user: admin
password: "{{ ADMIN_PASS }}"
@@ -156,9 +172,23 @@ os_users:
tenant: service
tenant_description: "Service Tenant"
+ - user: congress
+ password: "{{ CONGRESS_PASS }}"
+ email: congress@admin.com
+ role: admin
+ tenant: service
+ tenant_description: "Service Tenant"
+
- user: demo
- password: "{{ DEMO_PASS }}"
+ password: ""
email: heat@demo.com
role: heat_stack_user
tenant: demo
tenant_description: "Demo Tenant"
+
+# - user: swift
+# password: "{{ CINDER_PASS }}"
+# email: swift@admin.com
+# role: admin
+# tenant: service
+# tenant_description: "Service Tenant"
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service
new file mode 100644
index 00000000..4ec26c8c
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenStack Congress server
+After=
+
+[Service]
+User=root
+Group=root
+Type=simple
+WorkingDirectory=/var/lib/congress
+PermissionsStartOnly=true
+ExecStartPre=/bin/mkdir -p /var/lock/congress /var/log/congress /var/lib/congress
+ExecStartPre=/usr/bin/touch /var/log/congress/congress.log
+ExecStart=/usr/local/bin/congress-server --config-file /etc/congress/congress.conf
+Restart=on-failure
+LimitNOFILE=65535
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml
new file mode 100644
index 00000000..cf535a11
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml
@@ -0,0 +1,12 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: restart congress services
+ service: name={{ item }} state=restarted enabled=yes
+ with_items: services | union(services_noarch)
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml
new file mode 100644
index 00000000..f40d4c22
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml
@@ -0,0 +1,15 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: congress db sync
+ shell: /usr/local/bin/congress-db-manage --config-file /etc/congress/congress.conf upgrade head
+ when: inventory_hostname == haproxy_hosts.keys()[0]
+
+- name: start congress service
+ shell: systemctl start congress.service
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml
new file mode 100644
index 00000000..1883509b
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml
@@ -0,0 +1,28 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: create congress db
+ mysql_db:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: "{{ item.db }}"
+ state: present
+ with_items: "{{ credentials }}"
+
+- name: create congress db user
+ mysql_user:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: "{{ item[0].user }}"
+ password: "{{ item[0].password }}"
+ priv: "*.*:ALL,GRANT"
+ host: "{{ item[1] }}"
+ state: present
+ with_nested:
+ - "{{ credentials }}"
+ - ['%', 'localhost']
+
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml
new file mode 100644
index 00000000..19eed11c
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml
@@ -0,0 +1,37 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install congress packages
+ pip: name={{ item }} state=present
+ with_items: packages
+
+- name: create congress etc directory
+ file: path=/etc/congress state=directory
+
+- name: update congress conf
+ template: src={{ item }} dest=/etc/congress/{{ item }}
+ backup=yes
+ with_items:
+ - congress.conf
+ - api-paste.ini
+ - policy.json
+
+- name: create congress service
+ copy: src=congress.service dest=/lib/systemd/system/
+
+- name: create congress service work dir
+ file: path=/var/lib/congress state=directory
+
+- name: link the congress service
+ file:
+ src: /lib/systemd/system/congress.service
+ dest: /etc/systemd/system/multi-user.target.wants/congress.service
+ state: link
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml
new file mode 100644
index 00000000..f8056d15
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml
@@ -0,0 +1,16 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include: congress_install.yml
+
+- include: congress_db.yml
+ when:
+ - inventory_hostname == haproxy_hosts.keys()[0]
+
+- include: congress_config.yml
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini
new file mode 100644
index 00000000..39be570b
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini
@@ -0,0 +1,34 @@
+[composite:congress]
+use = egg:Paste#urlmap
+/: congressversions
+/v1: congress_api_v1
+
+[pipeline:congressversions]
+pipeline = cors catch_errors congressversionapp
+
+[app:congressversionapp]
+paste.app_factory = congress.api.versions:Versions.factory
+
+[composite:congress_api_v1]
+use = call:congress.auth:pipeline_factory
+keystone = cors request_id catch_errors authtoken keystonecontext congress_api
+noauth = cors request_id catch_errors congress_api
+
+[app:congress_api]
+paste.app_factory = congress.service:congress_app_factory
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:catch_errors]
+paste.filter_factory = oslo_middleware:CatchErrors.factory
+
+[filter:keystonecontext]
+paste.filter_factory = congress.auth:CongressKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = congress
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf
new file mode 100644
index 00000000..0305b418
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf
@@ -0,0 +1,510 @@
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+[DEFAULT]
+
+#
+# From congress
+#
+# The host IP to bind to (string tmq_serversvalue)
+bind_host = {{ internal_ip }}
+
+# The port to bind to (port value)
+# Minimum value: 0
+# Maximum value: 65535
+bind_port = 1789
+
+# Thread pool size for eventlet. (integer value)
+#max_simultaneous_requests = 1024
+
+# Set this to true to enable TCP_KEEALIVE socket option on connections received
+# by the API server. (boolean value)
+#tcp_keepalive = false
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
+# applies if tcp_keepalive is true. Not supported on OS X. (integer value)
+#tcp_keepidle = 600
+
+# The path to the latest policy dump (string value)
+policy_path = /etc/congress/policy.json
+
+# The file containing datasource configuration (string value)
+#datasource_file = <None>
+
+# The absolute path to the congress repo (string value)
+#root_path = <None>
+
+# The number of worker processes to serve the congress API application.
+# (integer value)
+#api_workers = 1
+
+# The API paste config file to use (string value)
+#api_paste_config = api-paste.ini
+
+# The type of authentication to use (string value)
+auth_strategy = keystone
+
+# List of driver class paths to import. (list value)
+drivers = congress.datasources.neutronv2_driver.NeutronV2Driver,congress.datasources.glancev2_driver.GlanceV2Driver,congress.datasources.nova_driver.NovaDriver,congress.datasources.keystone_driver.KeystoneDriver,congress.datasources.ceilometer_driver.CeilometerDriver,congress.datasources.cinder_driver.CinderDriver,congress.datasources.swift_driver.SwiftDriver,congress.datasources.plexxi_driver.PlexxiDriver,congress.datasources.vCenter_driver.VCenterDriver,congress.datasources.cloudfoundryv2_driver.CloudFoundryV2Driver,congress.datasources.murano_driver.MuranoDriver,congress.datasources.ironic_driver.IronicDriver
+
+
+# The number of seconds to wait between synchronizing datasource config from
+# the database (integer value)
+#datasource_sync_period = 0
+
+# Sets the flag to False if you don't want the congress to execute actions.
+# (boolean value)
+#enable_execute_action = true
+
+# The flag to use congress new distributed architecture.Don't set it to True in
+# L release since the new architecture is under implementation. (boolean value)
+#distributed_architecture = false
+
+# Explicitly specify the temporary working directory (string value)
+#tempdir = <None>
+
+# Make exception message format errors fatal (boolean value)
+#fatal_exception_format_errors = false
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+debug = True
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+log_file = congress.log
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+log_dir = /var/log/congress
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = true
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id
+
+
+[database]
+
+#
+# From oslo.db
+#
+
+# DEPRECATED: The file name to use with SQLite. (string value)
+# Deprecated group/name - [DEFAULT]/sqlite_db
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Should use config option connection or slave_connection to connect
+# the database.
+#sqlite_db = oslo.sqlite
+
+# If True, SQLite uses synchronous mode. (boolean value)
+# Deprecated group/name - [DEFAULT]/sqlite_synchronous
+#sqlite_synchronous = true
+
+# The back end to use for the database. (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend = sqlalchemy
+
+# The SQLAlchemy connection string to use to connect to the database. (string
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+connection = mysql+pymysql://congress:{{ CONGRESS_DBPASS }}@{{ db_host }}/congress
+
+# The SQLAlchemy connection string to use to connect to the slave database.
+# (string value)
+#slave_connection = <None>
+
+# The SQL mode to be used for MySQL sessions. This option, including the
+# default, overrides any server-set SQL mode. To use whatever SQL mode is set
+# by the server configuration, set this to no value. Example: mysql_sql_mode=
+# (string value)
+#mysql_sql_mode = TRADITIONAL
+
+# Timeout before idle SQL connections are reaped. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout = 3600
+
+# Minimum number of SQL connections to keep open in a pool. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool. Setting a value of
+# 0 indicates no limit. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size = 5
+
+# Maximum number of database connection retries during startup. Set to -1 to
+# specify an infinite retry count. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a SQL connection. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with SQLAlchemy. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = 50
+
+# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
+# value)
+# Minimum value: 0
+# Maximum value: 100
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add Python stack traces to SQL as comment strings. (boolean value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = false
+
+# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout = <None>
+
+# Enable the experimental use of database reconnect on connection lost.
+# (boolean value)
+#use_db_reconnect = false
+
+# Seconds between retries of a database transaction. (integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. (boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+
+[keystone_authtoken]
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. (string
+# value)
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+project_name = service
+password = {{ CONGRESS_PASS }}
+username = congress
+auth_type = password
+# API version of the admin Identity API endpoint. (string value)
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout = <None>
+
+# How many times are we trying to reconnect when communicating with Identity
+# API Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache = <None>
+
+# Required if identity server requires client certificate (string value)
+#certfile = <None>
+
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name = <None>
+
+# Directory used to cache files related to PKI tokens. (string value)
+#signing_dir = <None>
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers = <None>
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set
+# to -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# Determines the frequency at which the list of revoked tokens is retrieved
+# from the Identity service (in seconds). A high number of revocation events
+# combined with a low cache duration may significantly reduce performance. Only
+# valid for PKI tokens. (integer value)
+#revocation_cache_time = 10
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+# Allowed values: None, MAC, ENCRYPT
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key = <None>
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached
+# server. (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x. (boolean value)
+#memcache_use_advanced_pool = false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it
+# if not. "strict" like "permissive" but if the bind type is unknown the token
+# will be rejected. "required" any form of token binding is needed to be
+# allowed. Finally the name of a binding method that must be present in tokens.
+# (string value)
+#enforce_token_bind = permissive
+
+# If true, the revocation list will be checked for cached tokens. This requires
+# that PKI tokens are configured on the identity server. (boolean value)
+#check_revocations_for_cached = false
+
+# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
+# or multiple. The algorithms are those supported by Python standard
+# hashlib.new(). The hashes will be tried in the order given, so put the
+# preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance. (list value)
+#hash_algorithms = md5
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type = <None>
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section = <None>
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# The JSON file that defines policies. (string value)
+# Deprecated group/name - [DEFAULT]/policy_file
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+# Deprecated group/name - [DEFAULT]/policy_default_rule
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+# Deprecated group/name - [DEFAULT]/policy_dirs
+#policy_dirs = policy.d
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_hosts = {{ rabbitmq_servers }}
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json
new file mode 100644
index 00000000..4476051d
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json
@@ -0,0 +1,6 @@
+{
+ "context_is_admin": "role:admin",
+ "admin_only": "rule:context_is_admin",
+ "regular_user": "",
+ "default": "rule:admin_only"
+}
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml
new file mode 100644
index 00000000..1cc4645e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml
@@ -0,0 +1,21 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+packages:
+ - congress
+ - python-congressclient
+ - python-cloudfoundryclient
+
+service:
+ - congress
+
+credentials:
+ - user: congress
+ db: congress
+ password: "{{ CONGRESS_DBPASS }}"
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml
new file mode 100644
index 00000000..f6fef749
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml
@@ -0,0 +1,12 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+packages_noarch: []
+
+services_noarch: []
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg b/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg
index c0a0747d..5fbcc9d9 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg
@@ -190,6 +190,17 @@ listen proxy-aodh_api_cluster
server {{ host }} {{ ip }}:8042 weight 1 check inter 2000 rise 2 fall 5
{% endfor %}
+listen proxy-congress_api_cluster
+ bind {{ internal_vip.ip }}:1789
+ bind {{ public_vip.ip }}:1789
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:1789 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
listen proxy-dashboarad
bind {{ public_vip.ip }}:80
mode http
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
index fa7841e0..baaf89e1 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
@@ -9,7 +9,6 @@
---
packages_noarch:
- python-keystoneclient
- - python3-keystoneclient
services_noarch: []
os_services:
@@ -17,9 +16,9 @@ os_services:
type: identity
region: RegionOne
description: "OpenStack Identity"
- publicurl: "http://{{ public_vip.ip }}:5000/v3"
- internalurl: "http://{{ internal_vip.ip }}:5000/v3"
- adminurl: "http://{{ internal_vip.ip }}:35357/v3"
+ publicurl: "http://{{ public_vip.ip }}:5000/v2.0"
+ internalurl: "http://{{ internal_vip.ip }}:5000/v2.0"
+ adminurl: "http://{{ internal_vip.ip }}:35357/v2.0"
- name: glance
type: image
@@ -33,9 +32,9 @@ os_services:
type: compute
region: RegionOne
description: "OpenStack Compute"
- publicurl: "http://{{ public_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s"
- internalurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s"
- adminurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s"
+ publicurl: "http://{{ public_vip.ip }}:8774/v2/%(tenant_id)s"
+ internalurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s"
+ adminurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s"
- name: neutron
type: network
@@ -65,25 +64,25 @@ os_services:
type: volume
region: RegionOne
description: "OpenStack Block Storage"
- publicurl: "http://{{ public_vip.ip }}:8776/v1/%\\(tenant_id\\)s"
- internalurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s"
- adminurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s"
+ publicurl: "http://{{ public_vip.ip }}:8776/v1/%(tenant_id)s"
+ internalurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s"
+ adminurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s"
- name: cinderv2
type: volumev2
region: RegionOne
description: "OpenStack Block Storage v2"
- publicurl: "http://{{ public_vip.ip }}:8776/v2/%\\(tenant_id\\)s"
- internalurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s"
- adminurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s"
+ publicurl: "http://{{ public_vip.ip }}:8776/v2/%(tenant_id)s"
+ internalurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s"
+ adminurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s"
- name: heat
type: orchestration
region: RegionOne
description: "OpenStack Orchestration"
- publicurl: "http://{{ public_vip.ip }}:8004/v1/%\\(tenant_id\\)s"
- internalurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s"
- adminurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s"
+ publicurl: "http://{{ public_vip.ip }}:8004/v1/%(tenant_id)s"
+ internalurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s"
+ adminurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s"
- name: heat-cfn
type: cloudformation
@@ -93,13 +92,21 @@ os_services:
internalurl: "http://{{ internal_vip.ip }}:8000/v1"
adminurl: "http://{{ internal_vip.ip }}:8000/v1"
+ - name: congress
+ type: policy
+ region: RegionOne
+ description: "OpenStack Policy Service"
+ publicurl: "http://{{ public_vip.ip }}:1789"
+ internalurl: "http://{{ internal_vip.ip }}:1789"
+ adminurl: "http://{{ internal_vip.ip }}:1789"
+
# - name: swift
# type: object-store
# region: RegionOne
# description: "OpenStack Object Storage"
-# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s"
-# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s"
-# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s"
+# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
os_users:
- user: admin
@@ -165,8 +172,15 @@ os_users:
tenant: service
tenant_description: "Service Tenant"
+ - user: congress
+ password: "{{ CONGRESS_PASS }}"
+ email: congress@admin.com
+ role: admin
+ tenant: service
+ tenant_description: "Service Tenant"
+
- user: demo
- password: "{{ DEMO_PASS }}"
+ password: ""
email: heat@demo.com
role: heat_stack_user
tenant: demo
@@ -178,4 +192,3 @@ os_users:
# role: admin
# tenant: service
# tenant_description: "Service Tenant"
-